SANS Live Training is Available In-Person OR Live Online! Explore Upcoming Events.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 14, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              November 14, 2019 - Vol. 19, Num. 46


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Nov. 7 - 14

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft disclosed 75 vulnerabilities as part of Patch Tuesday


*************** Sponsored By AWS Marketplace ***************


Live Webcast: Proactive Threat Hunting in AWS. David Aiken, AWS solutions architect, and Shaun McCullough, SANS instructor, SEC545 Cloud Security Architecture and Operations, share real-life examples of proactive threat hunting. These experts also advise on how to build a threat hunting program for the AWS environment, including tools and techniques for discovery and analysis. November 21, 2 PM ET. http://www.sans.org/info/214745


============================================================

TRAINING UPDATE

 

-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) WebAuthn enables more secure and user friendly authentication. Read the white paper to learn more. http://www.sans.org/info/214750


2) Webcast November 18th at 10:30 AM ET: Blueprint for Designing a New Security Perimeter. Register: http://www.sans.org/info/214755


3) Join us at SANS Cyber Threat Intelligence Summit | Arlington, VA | Jan 20-21. http://www.sans.org/info/214760


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft disclosed 13 critical bugs as part of monthly security update

Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important." This month's security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 --a remote code execution vulnerability in Microsoft Excel.

Reference: https://blog.talosintelligence.com/2019/11/microsoft-patch-tuesday-nov-2019.html

Snort SIDs: 46548, 46549, 52205 - 52209, 52212, 52213, 52216, 52217 - 52225, 52228 - 52234, 52239, 52240

 

Title: LEADTOOLS toolkit contains several vulnerabilities, including remote code execution

Description: Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the execution of code remotely.

Reference: https://blog.talosintelligence.com/2019/11/vulnerability-spotlight-code-execution.html

Snort SIDs: 50824 - 50827, 51930-51938, 51447, 51448


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Google's ambitious cyber security company Chronicle is reportedly in major trouble, with many employees starting to leave and too much oversight from its new parent company.

https://www.engadget.com/2019/11/09/google-chronicle-trouble/


Microsoft says it will expand protections awarded to consumers under California's new privacy law to everyone across the U.S.

https://www.theverge.com/2019/11/11/20960113/microsoft-ccpa-privacy-law-california-congress-regulation


A fishing equipment store based in Vermont mistakenly left many of its internal passwords on Pastebin.com earlier this year.

https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/


A group of attackers are using political motifs and images of American politicians to infect users with a range of malware, including screenlockers and ransomware -- with mixed success.

https://blog.talosintelligence.com/2019/11/political-malware.html


Adobe patched three critical vulnerabilities in its monthly security update, including two memory corruption bugs in Adobe Media Encoder.

https://threatpost.com/adobe-critical-bugs-illustrator-media-encoder/150114/


Intel's Cascade Lake line of CPUs is affected by the Zombieload v2 vulnerability discovered earlier this year, though the company released a patch this week.

https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/


Google has acquired the health care information on millions of Americans that they will reportedly attempt to monetize, despite the individuals not knowing of the partnership between Google and Ascension.

https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790?shareToken=st98ed7303aedb45d281bc0bda02eb90b4


Britain's Labour political party was the target of two back-to-back distributed denial-of-service attacks this week in what the party called a "sophisticated and large-scale" attempt to disrupt their operations.

https://www.theguardian.com/politics/2019/nov/12/labour-reveals-large-scale-cyber-attack-on-digital-platforms


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-1356

Title:    Microsoft Edge based on Edge HTML Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when Microsoft Edge based on Edge HTML improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-1322

Title:    Microsoft Windows Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system.

CVSS v2 Base Score:    4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-16253

Title:    Samsung Mobile Android Samsung TTS Privilege Escalation

Vendor: Samsung

Description: The Samsung Text-to-speech Engine System Component on Android suffers from a local privilege escalation vulnerability. The Text-to-speech Engine application for Android allows a local attacker to escalate privileges, e.g., to system privileges. A successful local attack can obtain system privilege on vulnerable phones.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-5701

Title:    NVIDIA GeForce Experience Denial of Service vulnerability

Vendor: NVIDIA

Description: NVIDIA GeForce Experience contains a vulnerability when GameStream is enabled in which an attacker with local system access can load the Intel graphics driver DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service, information disclosure, or escalation of privileges through code execution.

CVSS v2 Base Score:    4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-2215

Title:    Linux Kernel Use-After-Free Vulnerability

Vendor:    Multi-Vendor

Description: A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.

CVSS v2 Base Score:    4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-13720

Title:    Google Chrome Use-After-Free Vulnerability

Vendor:    Google

Description: Google Chrome is exposed to a Use-After-Free vulnerability in audio. The exploit uses a race condition between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free condition that could lead to code execution scenarios.

CVSS v2 Base Score:    10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-3568

Title:    WhatsApp VOIP stack buffer overflow vulnerability

Vendor:    WhatsApp

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits will result in denial of service condition.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-16759

Title:    vBulletin Remote Code Execution Vulnerability

Vendor:    vBulletin

Description: vBulletin allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

er component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


=========================================================


MOST PREVALENT MALWARE FILES Nov. 7 - 14:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854

MD5: 74f4e22e5be90d152521125eaf4da635

VirusTotal: https://www.virustotal.com/gui/file/6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854/details

Typical Filename: jsonMerge.exe

Claimed Product: ITSPlatform

Detection Name: W32.GenericKD:Attribute.22lk.1201


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743